DNSChanger: One Infection, Lots Of Problems

The infamous DNSChanger family again got into focus earlier this month, due to the fact that the latest variant is able to inject DHCP “Offer” packets containing rogue DNS server IP addresses into the network traffic. Therefore one infected computer in a network could pose a risk for all the other hosts using DHCP. In this blog entry, we want to outline what risk such network changes would pose.

Rogue DNSChanger servers can typically be found in the range 85.255.112.0/20 of “UkrTeleGroup”, formerly known as “Inhoster”. The oldest malware description in the McAfee Threat Library using these suspicious DNS servers is dated back to 2005 (see DNSChanger.a for more information). Scanning the whole network unveils more than 400 running DNS server instances at the moment. That is, ten percent of the whole IP range consists of nothing other than DNS servers. The whole network is believed to be even bigger, but not all servers in this range are answering to DNS requests at the moment.

A very serious issue with computers using these rogue DNS servers located in the Ukraine is that they resolve a number of security-related domains differently than a benign DNS server would do it. For example, DNSChanger-affected computers could access and surf to ‘www.microsoft.com’ without any changes, but are not able to download the latest updates from ‘download.microsoft.com’.

The 400+ DNS servers resolve the domain name to ’127.0.0.1′, which just means the computer tries to download the patches from the “localhost” address meaning that the bad guys successfully blocked access to important updates. However other security related domains – including ‘download.mcafee.com’ – are blocked like shown in the following screenshot:

The behavior is entirely controlled by the attackers’ DNS servers. These could even redirect existing domain names to servers hosting crafted content (Phishing) or servers dynamically modifying real content. Once your DNS settings are under control, the bad possibilities are unlimited. The criminals controlling these servers could also limit their attacks to regional locations or do their business from “dusk till dawn” to stay under the radar.

The good folks at the “Internet Storm Center” have suggested blocking or at least monitoring the entire range several times, starting first early 2006 because of the bad stuff coming out of this space. If you are a home or small business user and don’t want to route into these Ukraine based network, you could simply block access at the router level like shown in the screenshot below. Many popular “Small Office / Home Office” devices feature such an ACL (Access Control List) feature.

Enterprise customers should force all clients within their network to only use the default DNS server(s) and block access to non-trustworthy servers at the gateway level to ensure no one externally controls your DNS. Internet Service Providers could also mitigate the risk for their customers by dropping connections to these rogue DNS servers and additionally force their customers to only use the ISP’s controlled DNS servers.